KEYCLOAK-14197 Client Policy - Condition : Client - Client Host

This commit is contained in:
Takashi Norimatsu 2020-11-19 11:44:54 +09:00 committed by Marek Posolda
parent cd9e01af90
commit a51e0cc484
6 changed files with 305 additions and 216 deletions

View file

@ -1,90 +0,0 @@
/*
* Copyright 2020 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.services.clientpolicy.condition;
import java.util.Collections;
import java.util.List;
import org.jboss.logging.Logger;
import org.keycloak.component.ComponentModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.services.clientpolicy.ClientPolicyContext;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.ClientPolicyLogger;
import org.keycloak.services.clientpolicy.ClientPolicyVote;
public class ClientIpAddressCondition implements ClientPolicyConditionProvider {
private static final Logger logger = Logger.getLogger(ClientIpAddressCondition.class);
private final KeycloakSession session;
private final ComponentModel componentModel;
public ClientIpAddressCondition(KeycloakSession session, ComponentModel componentModel) {
this.session = session;
this.componentModel = componentModel;
}
@Override
public String getName() {
return componentModel.getName();
}
@Override
public String getProviderId() {
return componentModel.getProviderId();
}
@Override
public ClientPolicyVote applyPolicy(ClientPolicyContext context) throws ClientPolicyException {
switch (context.getEvent()) {
case TOKEN_REQUEST:
case TOKEN_REFRESH:
case TOKEN_REVOKE:
case TOKEN_INTROSPECT:
case USERINFO_REQUEST:
case LOGOUT_REQUEST:
if (isIpAddressMatched()) return ClientPolicyVote.YES;
return ClientPolicyVote.NO;
default:
return ClientPolicyVote.ABSTAIN;
}
}
private boolean isIpAddressMatched() {
String ipAddr = session.getContext().getConnection().getRemoteAddr();
List<String> expectedIpAddresses = componentModel.getConfig().get(ClientIpAddressConditionFactory.IPADDR);
if (expectedIpAddresses == null) expectedIpAddresses = Collections.emptyList();
if (logger.isTraceEnabled()) {
ClientPolicyLogger.log(logger, "ip address = " + ipAddr);
expectedIpAddresses.stream().forEach(i -> ClientPolicyLogger.log(logger, "ip address expected = " + i));
}
boolean isMatched = expectedIpAddresses.stream().anyMatch(i -> i.equals(ipAddr));
if (isMatched) {
ClientPolicyLogger.log(logger, "ip address matched.");
} else {
ClientPolicyLogger.log(logger, "ip address unmatched.");
}
return isMatched;
}
}

View file

@ -1,74 +0,0 @@
/*
* Copyright 2020 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.services.clientpolicy.condition;
import java.util.ArrayList;
import java.util.List;
import org.keycloak.Config.Scope;
import org.keycloak.component.ComponentModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.provider.ProviderConfigProperty;
public class ClientIpAddressConditionFactory implements ClientPolicyConditionProviderFactory {
public static final String PROVIDER_ID = "client-ipaddr-condition";
public static final String IPADDR = "ipaddr";
private static final List<ProviderConfigProperty> configProperties = new ArrayList<ProviderConfigProperty>();
static {
ProviderConfigProperty property;
property = new ProviderConfigProperty(IPADDR, PROVIDER_ID + ".label", PROVIDER_ID + ".tooltip", ProviderConfigProperty.MULTIVALUED_STRING_TYPE, "0.0.0.0");
configProperties.add(property);
}
@Override
public ClientPolicyConditionProvider create(KeycloakSession session, ComponentModel model) {
return new ClientIpAddressCondition(session, model);
}
@Override
public void init(Scope config) {
}
@Override
public void postInit(KeycloakSessionFactory factory) {
}
@Override
public void close() {
}
@Override
public String getId() {
return PROVIDER_ID;
}
@Override
public String getHelpText() {
return "It uses the client's IP address to determine whether the policy is applied.";
}
@Override
public List<ProviderConfigProperty> getConfigProperties() {
return configProperties;
}
}

View file

@ -0,0 +1,164 @@
/*
* Copyright 2020 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.services.clientpolicy.condition;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.LinkedList;
import java.util.List;
import java.util.stream.Collectors;
import org.jboss.logging.Logger;
import org.keycloak.component.ComponentModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.services.clientpolicy.ClientPolicyContext;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.ClientPolicyLogger;
import org.keycloak.services.clientpolicy.ClientPolicyVote;
public class ClientUpdateSourceHostsCondition implements ClientPolicyConditionProvider {
private static final Logger logger = Logger.getLogger(ClientUpdateSourceHostsCondition.class);
private final KeycloakSession session;
private final ComponentModel componentModel;
public ClientUpdateSourceHostsCondition(KeycloakSession session, ComponentModel componentModel) {
this.session = session;
this.componentModel = componentModel;
}
@Override
public String getName() {
return componentModel.getName();
}
@Override
public String getProviderId() {
return componentModel.getProviderId();
}
@Override
public ClientPolicyVote applyPolicy(ClientPolicyContext context) throws ClientPolicyException {
switch (context.getEvent()) {
case REGISTER:
case UPDATE:
if (!isHostMustMatch()) return ClientPolicyVote.ABSTAIN;
if (isHostMatched()) return ClientPolicyVote.YES;
return ClientPolicyVote.NO;
default:
return ClientPolicyVote.ABSTAIN;
}
}
private boolean isHostMatched() {
String hostAddress = session.getContext().getConnection().getRemoteAddr();
ClientPolicyLogger.logv(logger, "Verifying remote host {0}", hostAddress);
List<String> trustedHosts = getTrustedHosts();
List<String> trustedDomains = getTrustedDomains();
// Verify trustedHosts by their IP addresses
String verifiedHost = verifyHostInTrustedHosts(hostAddress, trustedHosts);
if (verifiedHost != null) {
return true;
}
// Verify domains if hostAddress hostname belongs to the domain. This assumes proper DNS setup
verifiedHost = verifyHostInTrustedDomains(hostAddress, trustedDomains);
if (verifiedHost != null) {
return true;
}
return false;
}
protected List<String> getTrustedHosts() {
List<String> trustedHostsConfig = componentModel.getConfig().getList(ClientUpdateSourceHostsConditionFactory.TRUSTED_HOSTS);
return trustedHostsConfig.stream().filter((String hostname) -> {
return !hostname.startsWith("*.");
}).collect(Collectors.toList());
}
protected List<String> getTrustedDomains() {
List<String> trustedHostsConfig = componentModel.getConfig().getList(ClientUpdateSourceHostsConditionFactory.TRUSTED_HOSTS);
List<String> domains = new LinkedList<>();
for (String hostname : trustedHostsConfig) {
if (hostname.startsWith("*.")) {
hostname = hostname.substring(2);
domains.add(hostname);
}
}
return domains;
}
protected String verifyHostInTrustedHosts(String hostAddress, List<String> trustedHosts) {
for (String confHostName : trustedHosts) {
try {
String hostIPAddress = InetAddress.getByName(confHostName).getHostAddress();
ClientPolicyLogger.logv(logger, "Trying host {0} of address {1}", confHostName, hostIPAddress);
if (hostIPAddress.equals(hostAddress)) {
ClientPolicyLogger.logv(logger, "Successfully verified host : {0}", confHostName);
return confHostName;
}
} catch (UnknownHostException uhe) {
ClientPolicyLogger.logv(logger, "Unknown host from realm configuration: {0}", confHostName);
}
}
return null;
}
protected String verifyHostInTrustedDomains(String hostAddress, List<String> trustedDomains) {
if (!trustedDomains.isEmpty()) {
try {
String hostname = InetAddress.getByName(hostAddress).getHostName();
ClientPolicyLogger.logv(logger, "Trying verify request from address {0} of host {1} by domains", hostAddress, hostname);
for (String confDomain : trustedDomains) {
if (hostname.endsWith(confDomain)) {
ClientPolicyLogger.logv(logger, "Successfully verified host {0} by trusted domain {1}", hostname, confDomain);
return hostname;
}
}
} catch (UnknownHostException uhe) {
ClientPolicyLogger.logv(logger, "Request of address {0} came from unknown host. Skip verification by domains", hostAddress);
}
}
return null;
}
boolean isHostMustMatch() {
return parseBoolean(ClientUpdateSourceHostsConditionFactory.HOST_SENDING_REQUEST_MUST_MATCH);
}
// True by default
private boolean parseBoolean(String propertyKey) {
String val = componentModel.getConfig().getFirst(propertyKey);
return val==null || Boolean.parseBoolean(val);
}
}

View file

@ -0,0 +1,88 @@
/*
* Copyright 2020 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.services.clientpolicy.condition;
import java.util.Arrays;
import java.util.List;
import org.keycloak.Config.Scope;
import org.keycloak.component.ComponentModel;
import org.keycloak.component.ComponentValidationException;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.provider.ConfigurationValidationHelper;
import org.keycloak.provider.ProviderConfigProperty;
public class ClientUpdateSourceHostsConditionFactory implements ClientPolicyConditionProviderFactory {
public static final String PROVIDER_ID = "clientupdatesourcehost-condition";
public static final String TRUSTED_HOSTS = "trusted-hosts";
public static final String HOST_SENDING_REQUEST_MUST_MATCH = "host-sending-request-must-match";
private static final ProviderConfigProperty TRUSTED_HOSTS_PROPERTY = new ProviderConfigProperty(TRUSTED_HOSTS, "clientupdate-trusted-hosts.label", "clientupdate-trusted-hosts.tooltip", ProviderConfigProperty.MULTIVALUED_STRING_TYPE, null);
private static final ProviderConfigProperty HOST_SENDING_REGISTRATION_REQUEST_MUST_MATCH_PROPERTY = new ProviderConfigProperty(HOST_SENDING_REQUEST_MUST_MATCH, "host-sending-request-must-match.label",
"host-sending-request-must-match.tooltip", ProviderConfigProperty.BOOLEAN_TYPE, "true");
@Override
public ClientPolicyConditionProvider create(KeycloakSession session, ComponentModel model) {
return new ClientUpdateSourceHostsCondition(session, model);
}
@Override
public void init(Scope config) {
}
@Override
public void postInit(KeycloakSessionFactory factory) {
}
@Override
public void close() {
}
@Override
public String getId() {
return PROVIDER_ID;
}
@Override
public String getHelpText() {
return "The condition checks the host/domain of the entity who tries to create/update the client to determine whether the policy is applied.";
}
@Override
public List<ProviderConfigProperty> getConfigProperties() {
return Arrays.asList(TRUSTED_HOSTS_PROPERTY, HOST_SENDING_REGISTRATION_REQUEST_MUST_MATCH_PROPERTY);
}
@Override
public void validateConfiguration(KeycloakSession session, RealmModel realm, ComponentModel config) throws ComponentValidationException {
ConfigurationValidationHelper.check(config)
.checkBoolean(HOST_SENDING_REGISTRATION_REQUEST_MUST_MATCH_PROPERTY, true);
ClientUpdateSourceHostsCondition policy = new ClientUpdateSourceHostsCondition(session, config);
if (!policy.isHostMustMatch()) {
throw new ComponentValidationException("At least one of hosts verification must be enabled");
}
}
}

View file

@ -1,5 +1,5 @@
org.keycloak.services.clientpolicy.condition.ClientUpdateContextConditionFactory
org.keycloak.services.clientpolicy.condition.ClientRolesConditionFactory
org.keycloak.services.clientpolicy.condition.ClientIpAddressConditionFactory
org.keycloak.services.clientpolicy.condition.ClientScopesConditionFactory
org.keycloak.services.clientpolicy.condition.ClientAccessTypeConditionFactory
org.keycloak.services.clientpolicy.condition.ClientUpdateSourceHostsConditionFactory

View file

@ -81,9 +81,9 @@ import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.ClientPolicyProvider;
import org.keycloak.services.clientpolicy.DefaultClientPolicyProviderFactory;
import org.keycloak.services.clientpolicy.condition.ClientAccessTypeConditionFactory;
import org.keycloak.services.clientpolicy.condition.ClientIpAddressConditionFactory;
import org.keycloak.services.clientpolicy.condition.ClientPolicyConditionProvider;
import org.keycloak.services.clientpolicy.condition.ClientUpdateContextConditionFactory;
import org.keycloak.services.clientpolicy.condition.ClientUpdateSourceHostsConditionFactory;
import org.keycloak.services.clientpolicy.condition.ClientRolesConditionFactory;
import org.keycloak.services.clientpolicy.condition.ClientScopesConditionFactory;
import org.keycloak.services.clientpolicy.executor.ClientPolicyExecutorProvider;
@ -97,7 +97,9 @@ import org.keycloak.services.clientpolicy.executor.SecureSigningAlgorithmEnforce
import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.arquillian.annotation.EnableFeature;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer;
import org.keycloak.testsuite.client.resources.TestApplicationResourceUrls;
import org.keycloak.testsuite.client.resources.TestOIDCEndpointsApplicationResource;
import org.keycloak.testsuite.rest.resource.TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject;
@ -733,43 +735,6 @@ public class ClientPolicyBasicsTest extends AbstractKeycloakTest {
}
@Test
public void testClientIpAddressCondition() throws ClientRegistrationException, ClientPolicyException {
String policyName = "MyPolicy";
createPolicy(policyName, DefaultClientPolicyProviderFactory.PROVIDER_ID, null, null, null);
logger.info("... Created Policy : " + policyName);
createCondition("ClientIpAddressCondition", ClientIpAddressConditionFactory.PROVIDER_ID, null, (ComponentRepresentation provider) -> {
setConditionClientIpAddress(provider, new ArrayList<>(Arrays.asList("0.0.0.0", "127.0.0.1")));
});
registerCondition("ClientIpAddressCondition", policyName);
logger.info("... Registered Condition : ClientIpAddressCondition");
createExecutor("PKCEEnforceExecutor", PKCEEnforceExecutorFactory.PROVIDER_ID, null, (ComponentRepresentation provider) -> {
setExecutorAugmentDeactivate(provider);
});
registerExecutor("PKCEEnforceExecutor", policyName);
logger.info("... Registered Executor : PKCEEnforceExecutor");
String clientId = "Zahlungs-App";
String clientSecret = "secret";
String cid = createClientByAdmin(clientId, (ClientRepresentation clientRep) -> {
clientRep.setSecret(clientSecret);
});
try {
failTokenRequestByNotFollowingPKCE(clientId, clientSecret);
updateCondition("ClientIpAddressCondition", (ComponentRepresentation provider) -> {
setConditionClientIpAddress(provider, new ArrayList<>(Arrays.asList("10.255.255.255")));
});
successfulLoginAndLogout(clientId, clientSecret);
} finally {
deleteClientByAdmin(cid);
}
}
@Test
public void testSecureSessionEnforceExecutor() throws ClientRegistrationException, ClientPolicyException {
String policyBetaName = "MyPolicy-beta";
@ -1031,14 +996,6 @@ public class ClientPolicyBasicsTest extends AbstractKeycloakTest {
registerCondition("ClientAccessTypeCondition", policyName);
logger.info("... Registered Condition : ClientAccessTypeCondition");
policyName = "MyPolicy-ClientIpAddressCondition";
createPolicy(policyName, DefaultClientPolicyProviderFactory.PROVIDER_ID, null, null, null);
logger.info("... Created Policy : " + policyName);
createCondition("ClientIpAddressCondition", ClientIpAddressConditionFactory.PROVIDER_ID, null, (ComponentRepresentation provider) -> {
});
registerCondition("ClientIpAddressCondition", policyName);
logger.info("... Registered Condition : ClientIpAddressCondition");
policyName = "MyPolicy-ClientScopesCondition";
createPolicy(policyName, DefaultClientPolicyProviderFactory.PROVIDER_ID, null, null, null);
logger.info("... Created Policy : " + policyName);
@ -1078,6 +1035,49 @@ public class ClientPolicyBasicsTest extends AbstractKeycloakTest {
}
}
@AuthServerContainerExclude(AuthServer.REMOTE)
public void testClientUpdateSourceHostsCondition() throws ClientRegistrationException, ClientPolicyException {
String policyName = "MyPolicy";
createPolicy(policyName, DefaultClientPolicyProviderFactory.PROVIDER_ID, null, null, null);
logger.info("... Created Policy : " + policyName);
createCondition("ClientUpdateSourceHostsCondition", ClientUpdateSourceHostsConditionFactory.PROVIDER_ID, null, (ComponentRepresentation provider) -> {
setConditionClientUpdateSourceHosts(provider, new ArrayList<>(Arrays.asList("localhost", "127.0.0.1")));
});
registerCondition("ClientUpdateSourceHostsCondition", policyName);
logger.info("... Registered Condition : ClientUpdateSourceHostsCondition");
createExecutor("SecureClientAuthEnforceExecutor", SecureClientAuthEnforceExecutorFactory.PROVIDER_ID, null, (ComponentRepresentation provider) -> {
setExecutorAcceptedClientAuthMethods(provider, new ArrayList<>(Arrays.asList(
JWTClientAuthenticator.PROVIDER_ID, JWTClientSecretAuthenticator.PROVIDER_ID, X509ClientAuthenticator.PROVIDER_ID)));
});
registerExecutor("SecureClientAuthEnforceExecutor", policyName);
logger.info("... Registered Executor : SecureClientAuthEnforceExecutor");
String clientAlphaId = "Alpha-App";
String clientAlphaSecret = "secretAlpha";
try {
createClientByAdmin(clientAlphaId, (ClientRepresentation clientRep) -> {
clientRep.setSecret(clientAlphaSecret);
});
fail();
} catch (ClientPolicyException e) {
assertEquals(Errors.INVALID_REGISTRATION, e.getMessage());
}
String cAlphaId = null;
try {
updateCondition("ClientUpdateSourceHostsCondition", (ComponentRepresentation provider) -> {
setConditionClientUpdateSourceHosts(provider, new ArrayList<>(Arrays.asList("example.com")));
});
cAlphaId = createClientByAdmin(clientAlphaId, (ClientRepresentation clientRep) -> {
clientRep.setSecret(clientAlphaSecret);
});
} finally {
deleteClientByAdmin(cAlphaId);
}
}
private AuthorizationEndpointRequestObject createValidRequestObjectForSecureRequestObjectExecutor(String clientId) throws URISyntaxException {
AuthorizationEndpointRequestObject requestObject = new AuthorizationEndpointRequestObject();
requestObject.id(KeycloakModelUtils.generateId());
@ -1529,10 +1529,6 @@ public class ClientPolicyBasicsTest extends AbstractKeycloakTest {
provider.getConfig().put(ClientRolesConditionFactory.ROLES, clientRoles);
}
private void setConditionClientIpAddress(ComponentRepresentation provider, List<String> clientIpAddresses) {
provider.getConfig().put(ClientIpAddressConditionFactory.IPADDR, clientIpAddresses);
}
private void setConditionClientScopes(ComponentRepresentation provider, List<String> clientScopes) {
provider.getConfig().put(ClientScopesConditionFactory.SCOPES, clientScopes);
}
@ -1541,6 +1537,11 @@ public class ClientPolicyBasicsTest extends AbstractKeycloakTest {
provider.getConfig().put(ClientAccessTypeConditionFactory.TYPE, clientAccessTypes);
}
private void setConditionClientUpdateSourceHosts(ComponentRepresentation provider, List<String> hosts) {
provider.getConfig().putSingle(ClientUpdateSourceHostsConditionFactory.HOST_SENDING_REQUEST_MUST_MATCH, "true");
provider.getConfig().put(ClientUpdateSourceHostsConditionFactory.TRUSTED_HOSTS, hosts);
}
private void setExecutorAugmentActivate(ComponentRepresentation provider) {
provider.getConfig().putSingle("is-augment", Boolean.TRUE.toString());
}